This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail protection internal mailserver on different port

our mailserver listens on port 2525 (Exchange, recipient check works on different connector), i fiddled around with a DNAT rule, but it did not work.

On standard frontend connector with port 25 the recipient filter does not work as expected (flaw by design).

We want to do recipient validation should with server request from mail protection, not by ldap query (two issues with that: no ldaps + contacts are not resolved).

How we can do this?



This thread was automatically locked due to age.
Parents
  • Hallo,

    Please insert a picture of the Edit of the DNAT that didn't work.

    Also confirm that the traffic flow is:

         Internet <--- port 25 --> UTM SMTP Proxy <--- port 2525 ---> Mail server

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, yes, the flow is as you mentioned. Maybe just the server verification fails, I did not disable it. But it's all about the verification to SMTP 2525 to Exchange, otherwise the recipient filter does not work correctly. I could choose any other port than 25, that's is the problem. Recipient Filter on frontend connectors with Exchange 2013 upwards is working different.



    new screenshot
    [edited by: NV6 at 7:16 PM (GMT -7) on 17 Mar 2022]
  • A picture of the Bearbeitung of that rule, please.  Also open "SMTP-Empfang ex.kif.local" so that we can see what that is.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I did a new screenshot and this is the target:

  • That's close, but you need something like:

         DNAT : Internet IPv4 -> SMTP -> External (Address) :to Exchange with SMTP-Empfang Exchange

    2022-03-21 CORRECTION to not bypass the SMTP Proxy: 'DNAT : Internal (Address) -> SMTP -> Exchange : to SMTP-Empfang Exchange' which is what you had originally.  Apparently, recipient validation does not use port 25!

    If Exchange also sends outbound mail on 2525, you will also want a rule like:

         SNAT : Exchange -> {port 2525} -> Internet IPv4 : from SMTP

    However, if you want outbound mail to be processed by the SMTP Proxy, Exchange must use the UTM as a smart host and you will instead need something like:

         DNAT : Exchange -> {port 2525} -> Internal (Address) : to SMTP

    Glück gehabt ?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, not really "Glück". With that incoming rule I bypass the mailprotection completely. From my point of view, traffic should originate from the UTM itself, but I did not manage it with any DNAT rule I tried.

  • Ah, my mistake, I'll correct my post above.  Apparently, recipient validation does not use port 25!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • yes, validation must be performed on SMTP backend connector with Port 2525. I can not change to port 25, this way smtp frontend service would crash on Exchange 2013 and above. I use now mail users instead of mail contatcs, these could be validated by the UTM and AD query. Unfortunately, it still works only with LDAP unencrypted with UTM, not LDAPS

Reply
  • yes, validation must be performed on SMTP backend connector with Port 2525. I can not change to port 25, this way smtp frontend service would crash on Exchange 2013 and above. I use now mail users instead of mail contatcs, these could be validated by the UTM and AD query. Unfortunately, it still works only with LDAP unencrypted with UTM, not LDAPS

Children
  • I meant that the SMTP Proxy apparently isn't using port 25 for recipient validation, otherwise, your original DNA should have been adequate.  I assume you also tried 'DNAT : Exchange -> {port 2525} -> Internal (Address) : to SMTP'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA